Re: HOWTO CentOS nasty login security bug fix
--- In firstname.lastname@example.org, "thad_floryan" <thad@...> wrote:
> --- In email@example.com, Scott <scottro@> wrote:
> Heh, I see you, Scott, commented on this previously:
> > On Fri, Mar 30, 2012 at 07:20:42PM -0000, thad_floryan wrote:
> > > Though I'm overall extremely pleased with CentOS 6.2, there's a dumb
> > > login security bug for which there's a simple fix.
> > >
> > > Long story short: the login screen presents a pick'n'choose list of
> > > valid user names for the system.
> > > [...]
> > > Do RHEL logins work that way also?
> > Yup, if it's in CentOS it's in RHEL.
> Which implies also Oracle Linux and Scientific Linux which are both
> based on RHEL.
The final answer from Red Hat (Mike Grima):
" There is a problem with the proposed gconf configuration command
" that supposedly fixes the problem: it kills smart card login.
" Increasingly, many secure environments are using smart cards to
" control access to their systems, and thus, this command is not a
" proper workaround to this problem.
" I am currently in the process of submitting a support ticket for
" this to be resolved, because this is very serious. Displaying
" all available user accounts on the system is a major security
" problem that is unacceptable for an enterprise class OS, such as
" This is a major regression from RHEL 5 which did not present a
" user list, and also allowed for proper smart card login support.
" This problem should, at the very least, be addressed in RHEL 6.3
" or 6.4.
Foo on the smartcards. The gconf solution fixes the problem TODAY,
not 2-3 years from now.
Is everyone at Red Hat that dense?
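For anyone auditing a RHEL/CentOS 6 host for this, the following is an added example (not from this thread or from Red Hat) that checks whether the GDM simple-greeter user list has been disabled in the mandatory gconf source, which is where the gconf workaround discussed above lands. It assumes GDM 2.x with the `/apps/gdm/simple-greeter/disable_user_list` key and the `/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml` file layout; the sample tree it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit the GDM "show user list" setting on RHEL/CentOS 6.
# Assumption: the mandatory gconf source is an XML tree at
#   /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml
# and the key is /apps/gdm/simple-greeter/disable_user_list (bool).

MANDATORY_TREE='/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml'

# Return 0 when disable_user_list is true inside <dir name="simple-greeter">,
# 1 otherwise (missing file, missing key, or value="false").
gdm_user_list_disabled() {
    tree="$1"
    [ -r "$tree" ] || return 1
    awk '
        /<dir name="simple-greeter">/           { in_sg = 1 }
        in_sg && /<\/dir>/                       { in_sg = 0 }
        in_sg && /<entry name="disable_user_list"/ && /value="true"/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$tree"
}

# Write a constructed %gconf-tree.xml to PATH with disable_user_list=VALUE.
# Only used for demonstration/testing; real files are written by gconftool-2.
write_sample_tree() {
    path="$1"; value="$2"
    cat > "$path" <<EOF
<?xml version="1.0"?>
<gconf>
  <dir name="apps">
    <dir name="gdm">
      <dir name="simple-greeter">
        <entry name="disable_user_list" mtime="1333134042" type="bool" value="$value"/>
      </dir>
    </dir>
  </dir>
</gconf>
EOF
}

# Report on the live system; remediation is the documented gconftool-2 command.
audit_system() {
    if gdm_user_list_disabled "$MANDATORY_TREE"; then
        echo "OK: GDM user list is disabled via mandatory gconf source"
    else
        echo "WARN: GDM login screen will list local accounts"
        echo "Fix: gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.mandatory \\"
        echo "       --type bool --set /apps/gdm/simple-greeter/disable_user_list true"
        echo "Note: per Red Hat this workaround breaks smart card login on RHEL 6."
    fi
}

case "${1:-}" in audit) audit_system ;; esac
```

Run it as `sh gdm_userlist_audit.sh audit` on the host; the function itself can be reused from a larger compliance script.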